• Patchstack alerts of vulnerability of Orderable plugin for version <= 1.20.0

Viewing 1 replies (of 1 total)
  • Plugin Author Orderable

    (@orderable)

    Thank you for reaching out. We completely understand your concern regarding the recently disclosed security vulnerability in Orderable. Security is a top priority for us, and we want to give you the exact facts of the situation and how to resolve it.

    What is the issue?
    We recently identified a security bug related to the Orderable onboarding process. Specifically, a missing permissions check in the function used to install WooCommerce during the onboarding process could potentially allow a logged-in user (such as a Subscriber) to install plugins without proper administrative authorization.

    Are sites actively being attacked?
    To date, we have no reports of this vulnerability being exploited in the wild.

    How is it resolved?
    We have successfully patched this vulnerability. A hotfix—version 1.20.1—has been released and is available for download right now.

    What you must do:
    We strongly advise you to update your Orderable plugin to the latest version immediately to secure your site. You can do this directly from your WordPress admin dashboard by navigating to Plugins > Installed Plugins and clicking “Update Now” beneath Orderable.

    Please let us know if you need any assistance running the update or if you have any further questions. We are here to help.

    • This reply was modified 2 months, 2 weeks ago by Orderable.
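
The kind of check the reply above describes, shown as an added example that is not Orderable's code and not part of the original thread: a hypothetical WordPress AJAX handler that installs WooCommerce only after verifying a nonce and the `install_plugins` capability. Every `example_` name is invented for illustration; the WordPress functions called are core APIs.

```php
<?php
// Hypothetical onboarding handler, NOT Orderable's code.
// All example_* names are invented for this illustration.

// wp_ajax_{action} fires for ANY logged-in user, Subscribers included,
// so registering the hook is not an authorization check by itself.
add_action( 'wp_ajax_example_onboarding_install', 'example_onboarding_install' );

function example_onboarding_install() {
	// 1. Nonce: confirms the request came from the onboarding screen (CSRF).
	//    A nonce is not a permission check on its own.
	check_ajax_referer( 'example_onboarding_install', 'nonce' );

	// 2. Capability: the kind of check the reply says was missing.
	//    Subscribers do not hold install_plugins, so they stop here.
	if ( ! current_user_can( 'install_plugins' ) ) {
		wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
	}

	// 3. Pin the slug server-side rather than reading it from the request.
	$slug = 'woocommerce';

	require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
	require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

	$api = plugins_api(
		'plugin_information',
		array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
	);
	if ( is_wp_error( $api ) ) {
		wp_send_json_error( array( 'message' => $api->get_error_message() ), 502 );
	}

	// WP_Ajax_Upgrader_Skin keeps installer output out of the JSON response.
	$upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
	$result   = $upgrader->install( $api->download_link );

	if ( is_wp_error( $result ) || ! $result ) {
		wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
	}
	wp_send_json_success( array( 'installed' => $slug ) );
}
```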